An Access Control List (ACL) is an ordered collection of Access Control Entries (ACEs) that apply to an object.
Each Access Control Entry (ACE) in an ACL identifies a trustee, such as a user account, group account, or logon session, and specifies the access rights that are allowed, denied, or audited for that trustee.
A Discretionary Access Control List (DACL) determines who can access an object: its ACEs name the trustees that are allowed or denied access.
When a process requests access, the system checks the DACL's ACEs to decide whether to grant or deny the request.
If there is no DACL at all (a null DACL), the system grants full access to everyone; if the DACL exists but contains no ACEs, the system denies all access.
The system checks the ACEs in order until the requested access is either allowed or denied.
Additionally, System Access Control Lists (SACLs) allow administrators to log access attempts to secured objects.
The ACEs in SACLs specify the types of access attempts that trigger the system to generate a record in the security event log.
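As an added illustration that is not part of the original text, the following Python models the DACL evaluation and SACL auditing rules described above. The access-right bits, trustee names, object path and the success/failure flags on audit entries are constructed for the example; they are not Windows' real constants or API.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed access-right bits for the model (not Windows' real ACCESS_MASK values).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user, group or logon-session name the ACE applies to
    rights: int    # access-right mask

def check_access(dacl: Optional[list[Ace]], token: set[str], requested: int) -> bool:
    """Decide whether a token holding the identities in `token` gets `requested` rights."""
    if dacl is None:          # no DACL at all: everyone gets full access
        return True
    if not dacl:              # DACL present but empty: nobody gets access
        return False
    remaining = requested
    for ace in dacl:          # ACEs are evaluated strictly in list order
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False      # a matching deny ACE ends the check immediately
        if ace.kind == "allow":
            remaining &= ~ace.rights
            if remaining == 0:
                return True   # every requested right has been granted
    return False              # end of list reached with rights still ungranted

@dataclass(frozen=True)
class AuditAce:
    trustee: str
    rights: int
    on_success: bool = True   # log granted attempts
    on_failure: bool = True   # log denied attempts

def audit_records(sacl: list[AuditAce], token: set[str], requested: int, granted: bool, obj: str) -> list[str]:
    """Return the security-log records the SACL would produce for this access attempt."""
    outcome = "SUCCESS" if granted else "FAILURE"
    return [f"{outcome} audit: {obj} requested=0x{requested:x} trustee={ace.trustee}"
            for ace in sacl
            if ace.trustee in token and ace.rights & requested
            and (ace.on_success if granted else ace.on_failure)]

# Constructed sample: Alice is in Staff; Staff may read/write, but Alice herself is denied write.
DACL = [Ace("deny", "Alice", WRITE), Ace("allow", "Staff", READ | WRITE)]
ALICE = {"Alice", "Staff", "Everyone"}
SACL = [AuditAce("Everyone", WRITE, on_success=False)]
```

With this DACL, `check_access(DACL, ALICE, READ)` succeeds while `READ | WRITE` is refused at the first ACE; reversing the two ACEs lets the allow entry grant everything before the deny is ever reached, which is why ACE order matters.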
Summary:
- An Access Control List (ACL) is an ordered collection of entries specifying the access rights allowed, denied, or audited for trustees.
- A Discretionary Access Control List (DACL) defines who is allowed or denied access to an object.
- A System Access Control List (SACL) enables logging of access attempts to a secured object.